Domino Consulting - HCL Domino Administrator 11.0.1 Help

SECURING

Configuring user name mapping when you manage Domino users through Active Directory

Follow the steps in this topic to configure user name mapping for a Windows™ single sign-on environment if you manage HCL Domino® user information primarily through Active Directory. This configuration requires you to add users' HCL Notes® distinguished names to Active Directory user accounts.

Procedure

1. In a directory assistance database, create an LDAP directory assistance document to use to connect to the Active Directory server.

Table 1. Important Fields in an LDAP Directory Assistance Document

Tab	Field	Value	Comment
Basics	Make this domain available to	Notes clients and Internet Authentication/Authorization	Required LDAP Clients is optional
Basics	Group Authorization	Yes or No	Select Yes if you want to use Active Directory groups in database ACLs.
Basics	Attribute to be used as name in an SSO token	$DN	Required only if there is an IBM® WebSphere® SSO server authenticating users against Active Directory so that users' LTPA tokens contain their Active Directory names. Requires Map names in LTPA token to be enabled in the Web SSO Configuration document. Ensures proper SSO operation for servers that authenticate users against Active Directory.
Basics - SSO configuration	Windows single sign-on for Web clients	Enabled	Enables efficient name lookups based on users' Active Directory logon (Kerberos) names. In combination with Attribute to be used as Notes Distinguished Name, allows the user's Kerberos identity to be associated with the Domino name.
Basics - SSO configuration	Kerberos realm	Active Directory domain	Specify in uppercase characters, for example, AD.RENOVATIONS.COM.
Naming Contexts (Rules)	Trusted for Credentials	Yes
LDAP	Attribute to be used as Notes Distinguished Name	attribute	Attribute in Active Directory that stores users' Notes distinguished names. A directory administrator may need to extend the Active Directory schema to add an attribute for this name if there is no existing attribute that already contains the Notes distinguished name. Alternatively it may be feasible to use the `altSecurityIdentities` attribute, if not already in use for another purpose. A directory synchronization tool such asIBM Tivoli® Directory Integrator can be used to populate the attribute with the Notes names. The value stored in the attribute must adhere to valid distinguished name syntax. In Active Directory use LDAP comma (,) separators in the Notes names rather than the Notes forward slash (/) separators; for example: `cn=Betty Zechman,ou=Marketing,o=Renovations` rather than `cn=Betty Zechman/ou=Marketing/o=Renovations` Used to link this Active Directory record to a Notes distinguished name for determining user access to Domino resources.
LDAP	Type of search filter to use	Active Directory

2. If users have Person documents in the Domino Directory, make the following edits to them. Person documents are optional for Web users who are not HCL iNotes® users.

Table 2. Edits Needed in Person Documents

Tab

Field

Value

Comment

Basics

Internet Password

(HTTPPassword)

None (recommended)

password-hash

If desired, remove the password to use user's Active Directory passwords for Internet access that requires user password verification.
When password removed, set directory access to prevent users from adding passwords themselves.
When password removed, Domino verifies user passwords in Active Directory in situations when Windows single sign-on is not available.

3. If users have Domino Person documents but you do not include their Domino Internet passwords in them, disable the following Internet password settings in users' effective Security Settings policy document:

Table 3. Settings to Disable in Users' Effective Security Settings Policy Document

Tab	Field	Value	Comment
Password Management Basics	Allow Users to Change Internet Password over HTTP	No	The default behavior is Yes. If there is no Security Settings policy document specified for users, create one in order to change the default behavior.
Password Management Basics	Update Internet Password When Notes client Password Changes	No
Password Management Basics	Enforce Password Expiration	Disabled or Notes Only

4. On the Security -> Internet Access tab of the Server documents of participating Domino servers, for Internet authentication, select Fewer name variations with higher security.

5. If some SSO servers are authenticating users against Active Directory, specify the following setting in the Web SSO Configuration document:

Table 4. Web SSO Configuration Settings

Tab	Field	Value	Comment
Basics - Token Configuration	Map names in LTPA tokens	Enabled	Used to map Active Directory distinguished names in SSO LTPA tokens to Notes distinguished names for determining user access to Domino resources. Used to ensure functioning SSO at servers that authenticate the user against Active Directory.

Parent topic: Configuring user name mapping in a Windows single sign-on for Web clients environment

Help on Help

All Help Contents

Help on Help

All Help Contents